United States Department of Agriculture
Office of Inspector General

U.S. Department of Agriculture's Office of Homeland Security and Emergency Coordination - Classification Management

Audit Report 61701-0001-32
September 2013

OIG reviewed USDA’s process for classified documents in order to determine if PDSD is adequately managing USDA’s classified national security information program, as required by the Reducing Over-Classification Act.

What Were OIG’s Objectives

To assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered within USDA; and identify whether they may be contributing to persistent misclassification of material. This audit was required by Public Law 111-258, Reducing Over-Classification Act.

What OIG Reviewed

Our audit examined USDA guidance and 31 documents classified by USDA at the “Secret” and “Top-Secret” level.

What OIG Recommends

USDA should ensure records management, Departmental regulations, procedures, and the classification guide reflect Federal classification requirements, and review all USDA classified documents to correct improper markings. The original classification authority should direct all subordinate agencies to report self-inspections and program statistics. PDSD should develop, record, and track all training that meets Federal requirements.

What OIG Found

This is the first of two reports required by the Reducing Over-Classification Act to determine the Department of Agriculture’s (USDA) compliance with Federal regulations. The Act was designed to prevent information from being over-classified and over-compartmentalized, and to promote information sharing, as prescribed by Federal guidelines.

The Personnel and Document Security Division (PDSD) focuses on safeguarding national security information within USDA. We found that PDSD lacks proper guidance for eight key areas relating to classification management, and does not have a records management system that would identify documents that need to be declassified or reviewed for continued national security. We also found that USDA’s classification guide was missing required elements needed for proper derivative classification decisions. PDSD also needs to improve its reviews of classified markings on documents. Additionally, PDSD does not always obtain and maintain adequate statistics related to the security classification program and USDA does not ensure that its subordinate agencies are conducting self-inspections in accordance with regulations and procedures. Finally, PDSD’s classification management training content and documentation need to be improved, particularly in providing required information to individuals with security clearances. As a result, there is a greater potential for over-classifying or improperly releasing national security information.

OIG accepted management decision on 8 of the 17 recommendations; however, further action from the agency is needed before management decision can be reached for the other recommendations.

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE:          September 27, 2013

AUDIT
NUMBER:        61701-0001-32

TO:            Todd Repass, Jr.
               Director
               Office of Homeland Security and Emergency Coordination

ATTN:          Jennifer Wendel
               Office of Homeland Security and Emergency Coordination
               Audit Liaison

FROM:          Gil H. Harden
               Assistant Inspector General for Audit

SUBJECT:       Classification Management

This report presents the results of the subject audit. Your written response to the official draft report, dated September 19, 2013, is included in its entirety at the end of the report. Excerpts from your response and the Office of Inspector General (OIG) position are incorporated in the relevant Findings and Recommendations sections of the report. Based on the written response, we accept management decision on Recommendations 5, 7, 8, 9, 10, 13, 14, and 15 in the report. However, management decision has not been reached for Recommendations 1, 2, 3, 4, 6, 11, 12, 16, and 17.
Management decisions for the recommendations can be reached once you have provided the additional information outlined in the report sections’ OIG Position.

In accordance with Departmental Regulation 1720-1, please furnish a reply within 60 days describing the corrective actions taken or planned, and timeframes for implementing the recommendations for which management decisions have not been reached. Please note that the regulation requires management decision to be reached on all recommendations within 6 months from report issuance, and final action to be taken within 1 year of each management decision to prevent being listed in the Department’s annual Agency Financial Report. Please follow your internal agency procedures in forwarding final action correspondence to the Office of the Chief Financial Officer.

We appreciate the courtesies and cooperation extended to us by members of your staff during our audit fieldwork and subsequent discussions.

This report contains publicly available information and will be posted in its entirety to our website (http://www.usda.gov/oig) in the near future.

Table of Contents

Background and Objectives
Section 1: Classified Management
Finding 1: Effectiveness of Security Program Management
    Recommendation 1 to the Personnel and Document Security Division (PDSD)
    Recommendation 2 to PDSD
    Recommendation 3 to the Senior Agency Official (SAO)
Finding 2: Effectiveness of Original Classification Authorities
    Recommendation 4 to the Original Classification Authorities (OCA)
    Recommendation 5 to PDSD
Finding 3: Effectiveness of Original Classification Decisions and Dissemination Control Marking Decisions
    Recommendation 6 to the OCA
    Recommendation 7 to PDSD
Finding 4: Effectiveness of Derivative Classification Decisions and Dissemination Control Marking Decisions
    Recommendation 8 to PDSD
    Recommendation 9 to PDSD
Finding 5: Effectiveness of Security Self-Inspection Program
    Recommendation 10 to the SAO
    Recommendation 11 to the SAO
    Recommendation 12 to the OCA
Finding 6: Effectiveness of Security Reporting
    Recommendation 13 to the SAO
    Recommendation 14 to PDSD
Finding 7: Effectiveness of Security Education and Training
    Recommendation 15 to PDSD
    Recommendation 16 to PDSD
    Recommendation 17 to PDSD
Scope and Methodology
Abbreviations
Exhibit A: Effectiveness of Classification Management Policies and Control Marking Guidelines
Agency's Response

Background and Objectives

Background

Public Law 111-258, Reducing Over-Classification Act, section 6(b), requires the Office of Inspector General (OIG) of each Department or agency with an officer or employee who is authorized to make original classifications, in consultation with the Information Security Oversight Office (ISOO),[1] to carry out at least two evaluations before September 30, 2016. The initial evaluation shall be completed by September 30, 2013. The second required evaluation should review progress since the first review and be completed no later than September 30, 2016.

Executive orders since 1940 have directed Governmentwide classification standards and procedures. On December 29, 2009, President Obama signed Executive Order (E.O.) 13526, Classified National Security Information, which establishes the current principles, policies, and procedures for classification. The E.O. prescribes a uniform system for classifying, safeguarding, and declassifying national security information. E.O.
13526 also states that this nation’s progress depends on the sharing of information, both within the Government and with the American people. Accordingly, protecting information critical to national security and demonstrating a commitment to open Government through accurate and accountable application of classification standards and routine, secure, and effective declassification are equally important priorities.

Pursuant to this order, classified information that is determined to require protection against unauthorized disclosure to prevent damage to national security must be marked appropriately to indicate its classified status. The three U.S. classification levels, and correlating expected damage to U.S. security if the information is disclosed inappropriately, are:

    · Top Secret – shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security, which the original classification authority is able to identify or describe.
    · Secret – shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security, which the original classification authority is able to identify or describe.
    · Confidential – shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security, which the original classification authority is able to identify or describe.

Except as otherwise provided by statute, no other terms shall be used to identify U.S. classified information.
If significant doubt exists about the appropriate level of classification, information shall be classified at the lower level.

[1] ISOO is responsible to the President for policy and oversight of the Governmentwide security classification system and the National Industrial Security Program. ISOO is a component of the National Archives and Records Administration and receives policy and program guidance from the National Security Council.

Information may be originally classified only by original classification authorities (OCA). These are individuals authorized in writing, either by the President, the Vice President, or agency heads or other officials designated by the President, to initially classify information.

On December 29, 2009, the President designated the Secretary of Agriculture to classify information originally as “Secret.” OCAs must receive training on proper classification prior to originally classifying information and at least once per calendar year after that. To make an original classification decision, an OCA must determine if the information meets the following standards for classification:

    · The information is owned, controlled, or produced by or for the U.S. Government;
    · The information falls within one or more of the eight categories (reasons for classification) of information described in section 1.4 of E.O. 13526; and
    · The unauthorized disclosure of the information reasonably could be expected to result in damage to the national security, which the OCA is able to identify or describe.

By definition, original classification precedes all other aspects of the security classification system, including derivative classification,[2] safeguarding, and declassification.
The term “over-classification” is not defined in national policy. E.O. 13526 does define “classification” and “declassification.” During the course of our fieldwork and in this report, we have used a working definition of “over-classification,” which was supplied by ISOO: the designation of information as classified, when the information does not meet one or more of the standards for classification under section 1.1 of E.O. 13526. If significant doubt exists about the need to classify information, it should not be classified.

The Office of Homeland Security and Emergency Coordination (OHSEC), formed in 2010, is one of 13 offices that fall under Departmental Management within the U.S. Department of Agriculture (USDA). OHSEC provides Departmental leadership to USDA on Governmentwide initiatives in various areas, including the safeguarding of classified national security information within USDA and managing security clearances. Within OHSEC there are six divisions, including the Personnel and Document Security Division (PDSD).

PDSD focuses on safeguarding national security information within USDA. To accomplish this, PDSD’s Information Security Branch is responsible for establishing and implementing USDA’s information security program.
The Information Security Branch manages the document security classification function, promulgates policies and regulations concerning the safeguarding of national security information, provides technical support on information security matters to USDA agencies and staff offices, and conducts information security training.

[2] Derivative classification means the incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information.

The USDA Classified National Security Information Program Regulation (Departmental Regulation (DR) 3440-001) was issued on October 5, 2011, to prescribe Departmental roles and responsibilities for the classification, declassification, and safeguarding of classified national security information. This regulation designates the Director of OHSEC as the Senior Agency Official (SAO), or primary liaison between USDA and ISOO, responsible for identifying necessary resources to manage the program and providing program oversight.

Similarly, the USDA Classified National Security Program Manual (Departmental Manual (DM) 3440-001), issued on May 1, 2008, establishes the policies and procedures that govern the USDA information security program, which includes uniform requirements and guidance for classifying, safeguarding, declassifying, and destroying classified national security information, whether originated by or released to USDA.

All personnel with an active security clearance can perform derivative classification. All personnel who apply derivative classification markings must receive training on the proper application principles of E.O. 13526 prior to derivatively classifying information and at least once every 2 years thereafter.
Information may be derivatively classified from a source document or documents, or through the use of a classification guide.

Federal Government organizations that create or hold classified information are responsible for its proper management. Classification management includes developing classification guides that provide a set of instructions from an OCA to derivative classifiers that identify elements of information regarding a specific subject that must be classified, and the level and duration of classification for each element. One of the most effective ways to protect classified information is through applying standard classification markings and dissemination control markings. Effective program management also includes comprehensive mandatory training for classifiers and a robust self-inspection program.

One of the significant changes to the classification program, pursuant to the issuance of E.O. 13526, is that classified information shall be made accessible to the maximum extent possible to authorized holders. An additional significant change was that classified information originating in one agency may be disseminated to another agency or U.S. entity by any agency to which it has been made available without the consent of the originating agency, as long as the recipients meet the criteria for authorized holders, unless the originating agency has obtained approval by ISOO or the Director of National Intelligence, as applicable, to restrict dissemination.

In June 2006,[3] the Government Accountability Office conducted an evaluation of one agency’s information security program and found that a lack of oversight and inconsistent implementation of the agency’s information security program are increasing the risk of misclassification. Misclassification of national security information impedes effective information sharing, can provide adversaries with information to harm the U.S.
and its allies, and incurs millions of dollars in avoidable administrative costs. The Government Accountability Office identified weaknesses in the areas of classification management training, self-inspections, and security classification guide management.

[3] Managing Sensitive Information: DOD Can More Effectively Reduce the Risk of Classification Errors, GAO-06-706, June 2006.

Objectives

Public Law 111-258, section 6(b), requires the Office of Inspector General (OIG) of each Department or agency with an officer or employee who is authorized to make original classifications, in consultation with ISOO to:

    · assess whether applicable classification policies, procedures, rules, and regulations have been adopted, followed, and effectively administered; and
    · identify policies, procedures, rules, regulations, or management practices that may be contributing to persistent misclassification.

Section 1: Classified Management

Finding 1: Effectiveness of Security Program Management

USDA needs improvement in its management of the classified national security information program. PDSD does not have a system of records management that facilitates the declassification of documents, pursuant to the provisions of automatic declassification, nor has it updated the Departmental manual (DM 3440-001) to reflect the new requirements of E.O. 13526. This occurred because PDSD considered a records management system to be the same as an inventory of classified information, which is not required. PDSD also has not prioritized updating the Departmental manual.
Without a records management system and current policies, there is a potential that USDA documents could be over-classified, documents may be maintained beyond the declassification date (preventing information sharing), and national security information could be released.

General Program Management

General program management refers to the responsibilities of Departments and agencies implementing the program under E.O. 13526.[4] These include the responsibilities of the agency head to demonstrate personal commitment to the program, commit necessary resources to ensure its effective implementation, and to appoint a Senior Agency Official (SAO) to direct and administer the program. The SAO is responsible for overseeing the program established under E.O. 13526, issuing implementing regulations, establishing and maintaining security education and training programs, and establishing and maintaining an ongoing self-inspection program.

We reviewed the classification management program and the use of dissemination control markings to ensure that necessary resources have been dedicated for the effective implementation of the program, that agency records systems are designed and maintained to optimize the appropriate sharing and safeguarding of classified information, and that an SAO has been designated to direct and administer the program.

According to DR 3080-001, a records management system shall enable the identification, preservation, and retirement of permanent records.[5] Additionally, E.O.
13526 states “to the extent practicable, agencies shall adopt a system of records management that will facilitate the public release of documents at the time such documents are declassified pursuant to the provisions for automatic declassification.”[6] However, we identified that 8 of the 31 documents we reviewed were being maintained after the declassification date, without having been reviewed for an extension or exemptions, as outlined in the Mandatory Review for Declassification.[7] Therefore, the information was not being reviewed to determine if it could be declassified and shared, which in turn has the potential to hinder information sharing.

[4] E.O. 13526, December 29, 2009, was published in the Federal Register (FR) volume 75, number 2, page 707, January 5, 2010.
[5] Records Management (DR 3080-001), April 11, 2007.
[6] 75 FR 707, section 3.2(e), January 5, 2010.
[7] Title 32, Code of Federal Regulations (CFR), part 2001.33, July 1, 2010 Edition.

PDSD stated that it did not maintain an inventory of classified documents below the top-secret level because it was not required. While we acknowledge that a complete inventory may not be required, a records management system is required.

Even though an SAO has been assigned to administer the classified national information program, PDSD also needs to dedicate the resources to develop and administer a records management system.
Doing so would enable PDSD to identify those documents that need to be reviewed for continued national security or declassified, and reduce the risk of over-classification or a lack of sharing of information.

On August 13, 2013, PDSD staff provided documentation showing that a review of one of the USDA agencies’ documents being maintained has been initiated.

Effectiveness of Classification Management Policies and Control Marking Guidelines

Agencies are required to promulgate regulations to implement their classified national security information programs in accordance with E.O. 13526 and 32 Code of Federal Regulations (CFR) 2001. We reviewed Departmental Regulation (DR) 3440-001 and Departmental Manual (DM) 3440-001 to determine whether the eight key areas—original classification authority, general program management responsibilities, original classification, derivative classification, declassification, self-inspections, reporting and definitions, and security education and training—were covered and adopted in accordance with the E.O. and the CFR.[8]

Based on our review, we noted that policies had not been adopted in accordance with E.O. 13526 and 32 CFR 2001 for all eight key areas. (See exhibit A for areas where policies need to be addressed.) In addition to the two key areas noted[9] (general program management and classification challenges), we found issues with the remaining six key areas:

    · Classification authority: The E.O.
      provides that the Secretary of Agriculture is designated as the authority to originally classify information to the Secret level and specifically prohibits the Secretary of Agriculture from delegating the authority granted in the order.[10] However, both the Departmental regulation and manual allow the Secretary of Agriculture to re-delegate the authority to the “Deputy Secretary.”[11]

    · Original classification: The E.O. states “whenever practicable, use a classified addendum.” Rather than classifying the entire document, classified addenda would allow for “dissemination at the lowest level of classification possible or unclassified form.”[12] However, neither the Departmental regulation nor the manual addresses the use of a classified addendum, thereby potentially limiting the information sharing of non-national security information.

[8] We used A Standard User’s Guide for Inspectors General Conducting Evaluations Under Public Law 111-258, Appendix A - Agency Implementing Regulation Assessment Tool, which was provided by the Council of the Inspectors General on Integrity and Efficiency to conduct this review. Appendix A focused on eight key areas to determine if applicable classification policies, procedures, rules, and regulations have been adopted in accordance with E.O. 13526 and 32 CFR 2001.
[9] General Program Management and Classification Challenges (Declassification) are covered in separate sections of this finding.
[10] 75 FR 735-736, January 5, 2010.
[11] DR 3440-001 section 5.a., October 5, 2011, and DM 3440-001, chapter 2.1, May 1, 2008.

    · Derivative classification: According to the E.O.
      and the CFR, agencies must identify the person applying the derivative classification markings by name and position, or by personal identifier.[13] Because the Departmental manual was last updated in May 2008, approximately 2 years prior to the E.O., it does not address the requirements of identifying the derivative classifier by name and position, nor does it refer to the appropriate criteria.

    · Self-inspections: The E.O. and CFR require essential elements of coverage and external reporting of self-inspections.[14] Neither the Departmental regulation nor the manual addresses coverage and external reporting when conducting self-inspections.

    · Reporting and definitions: Agencies are required to report to the Director of ISOO any classified information that has been declassified without prior authority, as well as information security violations that: are reported to the Legislative branch; may attract public attention; involve large amounts of information; or reveal a systemic weakness in classification or safeguarding of classified information.[15],[16] However, USDA does not have a policy that requires PDSD to report all classified information that has been declassified without prior authority or information security violations.

    · Security education and training: The E.O.
      requires that original and derivative classification authority be “suspended by the agency head or the senior agency official designated” until training has been taken.[17] Neither the Departmental regulation nor the manual provides for suspension of either the original or derivative classification authority (See Finding 7).

In general, PDSD staff agree that the Departmental regulation and manual need to be updated. When we asked why policies had not been updated, staff explained that they were working on a Departmental manual, which they hoped to complete by the end of fiscal year (FY) 2013. They added that it may take time for the Departmental manual to receive final approval, as the last Departmental regulation, which had minimal changes, took more than a year to update.[18] While this revision is more substantial, and likely would take more time, PDSD only has two individuals in the Information Security Branch to rewrite the manual, in addition to their other normal duties. Because this revision is an ambitious undertaking, OIG recommends that PDSD dedicate the necessary resources to meet its targeted deadline. Subsequently, staff indicated that USDA is making every effort possible to prioritize available resources in a manner that reflects the Department’s needs and the protection of classified information.

[12] 75 FR 707, section 1.6(g), January 5, 2010.
[13] 75 FR 707, section 2.1(b)(1), January 5, 2010, and 32 CFR 2001.22(b), July 1, 2010 Edition.
[14] 75 FR 707, section 5.4(d)(4), January 5, 2010, and 32 CFR 2001.60(e) and (f), July 1, 2010 Edition.
[15] A violation is defined as “any knowing, willful, or negligent action (1) that could reasonably be expected to result in an unauthorized disclosure of classified information; (2) to classify or continue the classification of information contrary to the requirements of this order or its implementing directives; or (3) to create or continue a special access program contrary to the requirements of this order.”
[16] 75 FR 707, section 5.5(e), January 5, 2010, and 32 CFR 2001.91(a) and (d), July 1, 2010 Edition.
[17] 75 FR 707, section 1.3(d) and 2.1(d), January 5, 2010, and 32 CFR 2001.71(c)(3) and (d)(3), July 1, 2010 Edition.
[18] The changes to the last Departmental regulation primarily added training for the OCA and derivative classifiers, and updated references to E.O. 13526 and the implementing regulation (32 CFR 2001) in various places in the document.

Performance Evaluations

According to E.O. 13526, properly designating and managing classified information must be a critical element of performance evaluations of personnel whose duties significantly involve handling classified information (such as OCAs and security professionals).

We found that the Departmental regulation (DR 3440-001) did not include the specific language regarding critical elements on performance evaluations needed to comply with E.O. 13526. Specifically, while Departmental regulation requires that performance standards include language that requires all employees who routinely handle classified information to properly protect classified information, the regulation does not require such activity as a critical element or item on the performance evaluation.[19]

However, when we reviewed the Employee Performance Plan and Appraisal Records of employees whose duties involved significant handling of classified information, we found that they did contain a critical element on classified material handling that met the requirements of the E.O.
Even though this was included on the evaluations, the regulation (DR 3440-001) should be updated to address the requirement of a critical element.

Classification Challenges (Declassification)

E.O. 13526 states that authorized holders of information who, in good faith, believe that its classification status is improper are encouraged and expected to challenge the classification status of the information. An agency head or SAO shall establish procedures allowing them to do so. These procedures shall ensure that: individuals are not subject to retribution for bringing such actions; an opportunity is provided for review by an impartial official or panel; and individuals are advised of their right to appeal agency decisions to the Interagency Security Classification Appeals Panel (ISCAP).[20]

Additionally, Federal regulations require that if the agency does not respond within 120 days, the challenger has the right to forward the challenge to ISCAP. The challenger may also forward the challenge to the panel if the agency has not responded to an internal appeal within 90 days of the agency’s receipt of the appeal. Agency responses to those challenges it denies shall include the challenger’s appeal rights to the panel.[21]

[19] DR 3440-001, section 5c(6), October 5, 2011.
[20] 75 FR 707, section 1.8(b), January 5, 2010.
[21] 32 CFR 2001.14(b)(3), July 1, 2010 Edition.

We determined the Departmental regulation and manual do not adequately advise individuals of their rights to appeal to ISCAP or establish procedures to properly process requests to ISCAP for exemptions to automatic declassification. The regulation and manual also do not include the timeframes for challenges to be forwarded to ISCAP.
PDSD officials did not agree with this conclusion because the Departmental manual requires classification challenges to be resolved to the extent possible within 30 calendar days of receipt of a challenge. However, we believe that the Departmental manual should be updated so that classifiers are aware of the appeals process and timeframe requirements for sending matters to ISCAP. Without a complete policy in place to establish these processes and the individual’s right to appeal, individuals will not have written guidance to challenge the classification status of the information and may not know about their right to appeal to ISCAP (See Finding 7 for training deficiency regarding classification challenges).

Incentives for Accurate Classification

In making cash awards under chapter 45 of title 5, United States Code, the President or head of an executive agency with an officer or employee who is authorized to make original or derivative classification decisions, may consider such officer’s or employee’s consistent and proper classification of information.[22]

USDA does not offer incentives for accurate classification of information. USDA’s OCA responded that “when dealing with classified information ‘incentives’ are not used to encourage classification or declassification.” The classification of information by the OCA “requires an in-depth review,” and “[c]lassification management is addressed through user training and awareness.”

Sanctions

E.O. 13526 provides that officers and employees of the U.S.
Government, and its contractors, licensees, certificate holders, and grantees shall be subject to appropriate sanctions if they knowingly, willfully, or negligently: disclose to unauthorized persons information properly classified under this order or predecessor orders; classify or continue the classification of information in violation of this order or any implementing directive; create or continue a special access program contrary to the requirements of this order; or contravene any other provision of this order or its implementing directives.

Sanctions may include reprimand, suspension without pay, removal, termination of classification authority, loss or denial of access to classified information, or other sanctions in accordance with applicable law and agency regulation. If the Director of ISOO finds that a violation has occurred, the Director shall make a report to the head of the agency or to the SAO so that corrective steps, if appropriate, may be taken.

We found that USDA’s Departmental manual properly addresses the requirement of sanctions for security infractions and violations. The manual describes an infraction and the action to be taken by the supervisor. A security violation is described as a more serious disregard for security procedures and responsibilities. Therefore, disciplinary action will be considered for security violations following the principle of progressive discipline. These actions could be: a reprimand or warning; a suspension without pay; or loss of security clearance or employment.[23]

[22] Public Law 111-258, section 6, October 7, 2010.

Conclusions

We found that the agency had not developed a records management system to identify those documents that need to be reviewed for continued national security or declassification.
In addition, all eight key areas reviewed were lacking proper guidance in the Departmental regulation and the manual provided to the subordinate agencies and offices. USDA should institute a records management system and update policies to prevent the risk of over-classifying documents, and the potential of improperly releasing national security information.

Recommendation 1 to the Personnel and Document Security Division (PDSD)
Establish a records management system to facilitate the release of information after the declassification date.

Agency Response
In a response dated September 19, 2013, OHSEC officials stated that to ensure classified records are maintained, OHSEC uses DR 3080-001 and E.O. 13526. The ISC [Information Security Coordinator] will be made aware of their responsibility in maintaining a separate classified records management system to the extent possible. Training will be incorporated into the annual refresher and specific training for the ISC will enable the identification, preservation, and retirement of permanent records. The general awareness will be incorporated into the FY 2014 annual refresher training. ISC-specific training will be developed and implemented in AgLearn for all ISCs by the second quarter of 2014.

OIG Position
We are unable to accept management decision at this time.
OHSEC’s response does not state that a records management system will be developed, only that the ISCs will be made aware of their responsibility along with providing specific training to them.

In order to reach management decision, the response needs to address specific corrective actions that are planned or completed by PDSD to ensure a records management system is developed that will facilitate the release of information after a declassification date and provide an estimated date.

[23] DM 3440-001, chapter 9.5, May 1, 2008.

Recommendation 2 to PDSD
Review all documents in which the declassification date has passed, in accordance with the “Mandatory Review for Declassification.”

Agency Response
OHSEC will incorporate specific guidance into the ISC-specific training that addresses the need to review all classified holdings for appropriate markings and control information by the end of the second quarter of FY 2014. This training will include the proper marking elements to ensure all responsible understand the marking and control requirements.

OIG Position
We are unable to accept management decision at this time. The response does not state that documents in which the declassification date has passed will be reviewed. It only addresses that training will be updated to address the need to review all classified holdings.

In order to reach management decision, the response needs to state actions planned or completed by PDSD to ensure that all documents are reviewed in which the mandatory declassification date has passed and an estimated completion date that all documents will be reviewed.

Recommendation 3 to the Senior Agency Official (SAO)
Dedicate the resources to expedite the process of ensuring the Departmental regulation and manual, DR 3440-001 and DM 3440-001, are updated to reflect Federal requirements (E.O.
13526 and 32 CFR 2001).

Agency Response
OHSEC has identified the update of the DM 3440-001 as a critical priority for FY 2014.

OIG Position
We are unable to accept management decision at this time. The response did not provide a date that the Departmental regulation and manual updates will be completed.

In order to reach management decision, an estimated completion date for issuing the updated Departmental regulation and manual needs to be provided.

Finding 2: Effectiveness of Original Classification Authorities

Original Classification Authorities (OCA) are delegated in writing, according to position, by the President, the Vice President, or an agency head or other official designated by the President, to initially classify information. The OCA is responsible for approving, in writing, any classification guide prepared for use by derivative classifiers.

We found that the classification guide developed by USDA[24] was missing required elements needed for proper derivative classification decisions. OIG concluded that this was caused by Departmental omission and officials’ misinterpretation of the regulations (See Findings 1 and 7). As a result, derivative classifiers do not have adequate information to make a proper and uniform derivative classification decision, which could lead to a misclassification or over-classification of information.

Designation of Original Classification Authority

We determined that the Secretary of Agriculture was designated to classify information originally as “Secret,” by the President, on December 29, 2009, by E.O. which also specified that this authority may not be delegated (See Finding 1 concerning delegation of OCA).
[25], [26]

Original Classification Authority Training

As an OCA, the Secretary is authorized to originally classify information, as well as develop classification guides to facilitate the proper and uniform derivative classification of information. To ensure that OCAs are aware of their responsibilities and are equipped to adequately manage the agencies’ handling of classified information, they are required to complete training. According to the OCA, initial training was completed in January 2009 and a refresher training in March 2013. However, we found that PDSD did not have documentation confirming that the OCA had completed the required annual training (See Finding 7 regarding OCA training).

USDA Classification Guide

As an OCA, the Secretary of Agriculture is responsible for any classification guide, which, according to regulation, must be prepared to facilitate the proper and uniform derivative classification of information.[27]

[24] USDA Carver + Shock Classification Guidance, July 2010.
[25] 75 FR 735-736, January 5, 2010.
[26] As noted in Finding 1, the Departmental regulation and manual allow the OCA to re-delegate the authority to the “Deputy Secretary.”
[27] 32 CFR 2001.15(a), July 1, 2010 Edition.

At a minimum, classification guides must:

   · identify the subject matter of the classification guide;
   · identify the original classification authority by name and position, or personal identifier;
   · identify an agency point-of-contact for questions regarding the classification guide;
   · provide the date of issuance or last review;
   · state precisely the elements of information to be protected;
   · state which classification level applies to each element of information;
   · state, when applicable, special handling caveats;
   · state
a concise reason for classification which, at a minimum, cites the classification category in section 1.4 of E.O. 13526; and
   · prescribe a specific date or event for declassification.[28]

We found issues with the Department’s classification guide that was used by derivative classifiers, and signed by the Secretary of Agriculture on July 19, 2010. Specifically, we found that the classification guide does not:

   · identify any agency points-of-contact, or
   · prescribe a specific date or event for declassification.

While PDSD staff stated that the classification guide’s memorandum identifies various individuals, such as the Assistant Secretary for Administration and the Director, Office of Homeland Security and Emergency Coordination, OIG noted that the memorandum does not specifically identify either of these individuals as a point-of-contact for questions. PDSD staff agreed to update the guide to include a specifically designated point-of-contact.

Lastly, the classification guide gave a range of years (5 to 25), instead of a specific date or event for declassification. PDSD staff stated that the subject matter experts set the duration of classification based on their knowledge because they are the experts. However, the Federal regulation states that information classified derivatively on the basis of a classification guide shall carry forward the markings taken from the instructions in the appropriate classification guide.[29] Thus, OIG concluded that the duration is to be set in the classification guide, by the OCA.
PDSD staff did not agree and stated that the subject matter experts are the only ones that can make this decision, but subsequently agreed to work with other Departmental officials to set a specific declassification date by description in the classification guide.

Conclusions

In addition to identifying issues concerning USDA’s provisions for OCA delegation and documentation of OCA training (which are detailed in Findings 1 and 7, respectively), we determined that the OCA needs to ensure that the classification guide is updated and compliant with regulations to ensure that it provides derivative classifiers with necessary points-of-contact, as well as a specified date or event for declassification. Because a point-of-contact is not identified on the classification guide, a derivative classifier may not contact the appropriate individual when seeking to obtain information concerning classification of a document, which could result in an incorrect classification decision. Also, because the Department used a range of years, instead of a specific date or event for declassification, the derivative classifier is given the responsibility to make an OCA decision concerning the duration of classification. Both of these items could lead to a misclassification, over-classification, or unauthorized release of classified national security information.

[28] 32 CFR 2001.15(b), July 1, 2010 Edition.
[29] 32 CFR 2001.22(a), July 1, 2010 Edition.

Recommendation 4 to the Original Classification Authorities (OCA)
Update the classification guide to include a point-of-contact and specific date or event for declassification.

Agency Response
OHSEC believes that further guidance from ISOO is required.
OHSEC will provide ISOO’s guidance to OIG during the first quarter of FY 2014.

OIG Position
We are unable to accept management decision at this time. The response states that ISOO will be contacted for guidance but does not state that the classification guide will be updated.

In order to reach management decision, the response needs to specify an estimated completion date that the OCA will issue the updated classification guide that includes the required information.

Recommendation 5 to PDSD
Develop and implement procedures to review and update the classification guide when regulatory changes occur to ensure future compliance.

Agency Response
OHSEC will prepare a policy memorandum outlining the new procedures. The memorandum will be distributed by the end of the first quarter of FY 2014.

OIG Position
We accept management decision for this recommendation.

Finding 3: Effectiveness of Original Classification Decisions and Dissemination Control Marking Decisions

Original classification decisions and the proper marking of classified information, to include proper application of dissemination and control markings, need improvement, as USDA did not properly mark classified documents. Specifically, OIG reviewed the two documents that received original classification, during the timeframe covered by our audit, and found that neither had been properly marked to include the OCA’s identification or the reason for classification.[30] This occurred because the documents were initially determined to be derivative classifications, but were subsequently changed to original classifications and did not receive updated markings.
Individuals relying on these documents as reference material to make derivative classification decisions may not have the necessary information to correctly mark the classified documents, which could result in an over-classification, misclassification, or unauthorized release of classified information.

E.O. 13526, section 1.6, and 32 CFR 2001, subpart C, require that, at the time of classification, originally classified documents shall include the following markings in a manner that is immediately apparent:

   · the name and position of the classifier, or personal identifier (“classified by” line);
   · agency and office of origin;
   · reason for classification;
   · declassification instructions (“declassify on” line);
   · overall marking;
   · portion marking; and
   · date of origin of document.

The Food Safety and Inspection Service, a USDA agency, initially marked the two documents as derivative classifications. Specifically, the two documents had the following derivative classification markings: portion markings, overall classification, “declassify on,” and “derived from.”[31] However, after consultation with PDSD, it was determined that the documents were original classifications, as they contained new information. The OCA classified both documents at the “Secret” level on November 3, 2010, by signing a memorandum.

OIG reviewed these two documents and found that, although the documents were approved as original classifications, the markings on the documents were not updated once the original classification was approved. As a result, the documents do not indicate the reviewer(s) of the documents. A PDSD official confirmed that the markings were not updated.
Because of the infrequency of original classification decisions in the Department, a checklist outlining the required markings for the OCA to apply would assist in ensuring documents are appropriately marked.

[30] These two documents were the only original classification documents in USDA in our universe.
[31] For more information on required derivative classification markings, see Finding 4.

Conclusions

We found that the Department needs to improve its review of classified documents to ensure that information is appropriately marked. Because all required markings were not included on the documents, an individual using these documents as a reference for a derivative classification decision may not have the necessary information to correctly mark the document. This could result in an over-classification, misclassification, or unauthorized release of classified information.

Recommendation 6 to the OCA
Correct the markings on the two originally classified documents so that it is clear that the documents are original classifications, not derivative classifications.

Agency Response
OHSEC will correct the markings by end of the first quarter of FY 2014.

OIG Position
We are unable to accept management decision at this time. The response states that OHSEC will correct the markings on the documents. However, OHSEC does not have original classification authority.
Since the two documents were approved as original classifications by the OCA, this individual would have to approve any corrections by OHSEC on the documents.

In order to reach management decision, the response needs to specify that the OCA will review and approve any changes to the markings on the originally classified documents and provide an estimated completion date.

Recommendation 7 to PDSD
Develop and implement a checklist to be used by the OCA, at the time of classification, to ensure that all originally classified documents include the required markings.

Agency Response
OHSEC will develop a checklist by end of the first quarter in FY 2014.

OIG Position
We accept management decision for this recommendation.

Finding 4: Effectiveness of Derivative Classification Decisions and Dissemination Control Marking Decisions

Derivative classification means incorporating, paraphrasing, restating, or generating in new form information that is already classified, and marking the newly developed material consistent with the classification markings that apply to the source information. Derivative classification includes the classification of information based on classification guidance. The duplication or reproduction of existing classified information is not derivative classification.

We found that USDA personnel did not properly mark derivatively classified documents. Our review of 14 documents, derivatively classified between October 2010 and April 2013, found that 9 did not identify who was applying the markings, 8 did not carry forward the declassification date, and 7 did not contain the portion markings. These derivative classification markings were missing because staff misunderstood how to mark these documents and, instead, mistakenly treated them as working papers.
Until staff are fully familiar with specific classified documents’ marking requirements, USDA runs the risk of over-classifying or improperly releasing national security information.

The Federal regulation governing classified national security information details a uniform security classification system, which requires that standard markings be applied to classified information. Additionally, the regulation states that the markings of classified information shall not deviate, unless approved by the Director of ISOO. Markings must be uniformly and conspicuously applied to leave no doubt about the classified status of the information, the level of protection required, and the duration of classification.[32] Derivatively classified documents must carry forward the markings from the source document or follow marking instructions in the appropriate classification guide.[33] The required markings of derivatively classified information are:

   · “Classified By” – the identity of the person applying the derivative classification by name and position or personal identifier (if not evident, the agency and office of origin shall be identified and follow the name on the “Classify by” line).
   · “Derived From” – the source of the information; if multiple sources, the marking can state “multiple sources,” but a list must be included or attached (including the agency, office of origin, and the date of the source document or guide).
   · “Declassify On” – the declassification date will be carried forward from the source document or the duration instruction from the classification guide; however, if multiple source documents are used, then the longest duration of any of its source documents is
used.
   · Overall classification – the highest level of classification of information contained within the document, placed conspicuously at the top and bottom of the outside front cover (if any), on the title page (if any), on the top and bottom of every page, and on the outside of the back cover (if any).
   · Portion markings – each portion of a derivatively classified document shall be marked immediately preceding the portion to which it applies, in accordance with its source document.
   · Date of origin of document – the date of origin of the document must be indicated in a manner that is immediately apparent.
   · Dissemination control and handling markings – additional control and handling markings that supplement the overall classification markings, if required by the agency.[34]

[32] 32 CFR 2001.20, July 1, 2010 Edition.
[33] 32 CFR 2001.22(a), July 1, 2010 Edition.

The only exception to these requirements is for a working paper. Working papers are defined as documents or materials, regardless of the media, which are expected to be revised prior to the preparation of a finished product for dissemination or retention. If a document or material is expected to be released by the originator outside of the originating activity, retained for more than 180 days from date of origin, or filed permanently, then it must be portion marked in the same manner as described for a finished document.[35]

We reviewed a total of 14 derivatively classified documents within the scope of our review (October 2010 through April 2013).
Of the 14, 9 were briefing documents[36] (one of which was classified as Top Secret–sensitive compartmented information). We found that none of the nine briefing documents contained all the required markings. While all the briefing documents were marked with the overall marking of Secret or Top-Secret, they did not contain all of the remaining required elements, such as who classified the document, the source of the information, when it was to be declassified, or the portion markings. Therefore, those that received the briefing would not know what parts of the documents were unclassified, making such portions of the briefings over-classified.

Based on our review, we determined that staff misunderstood how to handle briefing documents, due to insufficient training and guidance (For additional issues on training, see Finding 7). One person interviewed believed that if the presentation was not going to be maintained longer than 180 days (working paper retention period), it did not need all the markings. As the briefing documents were not meant to be maintained, the individual saw these as working papers. As a working paper, the briefing documents would be considered “draft” documents, not to be released by the originator, and portion marking would not be required. However, because the documents were used for presentation and released outside of the originating activity, the required markings must be applied. An agency official confirmed that these documents were improperly marked.
He further stated that when briefing documents are presented to individuals outside the agency, the proper markings must be applied.

Conclusions

We found that because personnel were not sufficiently aware that briefing documents containing classified information are not to be treated as working papers, these briefing documents did not receive all the necessary markings. While a derivative classifier referred to these missing elements as “administrative errors,” these errors could result in over-classification of information. It is therefore crucial that all staff who are responsible for marking these documents have an understanding of the various classified documents and their particular marking requirements and that the Department take steps to ensure that its documents are properly marked.

[34] 32 CFR 2001.22(b-i), July 1, 2010 Edition.
[35] 32 CFR 2001.24(d), July 1, 2010 Edition.
[36] The documents consisted of briefing slides.

Recommendation 8 to PDSD
Develop and conduct specialized training for derivative classifiers that discusses the differences between working papers and finished documents and the marking requirements, as described in the regulation.

Agency Response
OHSEC will deliver specialized training for derivative classifiers by the end of the second quarter of FY 2014.

OIG Position
We accept management decision for this recommendation.

Recommendation 9 to PDSD
Coordinate with the subordinate agencies to review all USDA classified documents maintained, and correct all improper markings identified.

Agency Response
OHSEC will lead a review process with all subordinate agencies to review and correct all USDA classified documents as needed by the end of FY 2014.

OIG Position
We accept management decision for this recommendation.
Finding 5: Effectiveness of Security Self-Inspection Program

The SAO is required to establish a self-inspection program and report annually on it to the Director of ISOO. We determined that USDA does not ensure that its subordinate agencies are conducting self-inspections in accordance with regulations and procedures. We also found that the program was ineffective at providing information about the structure and implementation of USDA’s self-inspection program and reporting on the findings from this program. This occurred because PDSD Information Security staff do not follow up with subordinate agencies to obtain and maintain adequate documentation of self-inspections subordinate agencies have conducted (See Finding 6). Therefore, USDA is unable to effectively track the findings or recommendations for improvement that resulted from the self-inspections conducted by its subordinate agencies. Additionally, USDA does not have complete information summarizing the results of its self-inspection program, which is necessary to adequately determine the effectiveness of its classified national security information program within individual agency activities and the Department as a whole.

E.O. 13526[37] and the Federal regulation[38] require SAOs to establish self-inspection programs. According to USDA’s Departmental manual, self-inspections should be completed a minimum of every 2 years by agencies that receive, generate, and store classified information. Copies of the inspection report must be sent within 5 calendar days to PDSD for record purposes. The report should also be forwarded to senior agency management for their overall program security awareness and to assist them in planning for future security upgrades or expenses. E.O. 13526 and the Federal regulation[39] also require SAOs to report annually on their self-inspection program to the Director of ISOO.
The report provides information about the structure and implementation of the agency's self-inspection program and identifies the findings from this program, which has been established by the SAO to help oversee the agency's classified national security information program.

The information contained in the self-inspection report(s) should flow as follows: The first part of the report is a description of the agency's self-inspection program that outlines how the program addresses the requirements of the regulation.[40] The second part is an account of the findings of the agency's self-inspection program. This must include an assessment and summary of the findings and specific information about the review of the agency's original and derivative classification actions. Also, it is essential that the report identify corrective actions that have been taken or are planned to address deficiencies and misclassification actions. Lastly, if best practices were identified during the self-inspections, they should be included in the report as well.

[37] 75 FR 707, section 5.4(d)(4), January 5, 2010.
[38] 32 CFR 2001.60(b), July 1, 2010 Edition.
[39] 32 CFR 2001.60(f)(2), July 1, 2010 Edition.
[40] 32 CFR 2001.60(a-e), July 1, 2010 Edition.

Because PDSD Information Security staff do not maintain documentation of the self-inspections, OIG was unable to verify that subordinate agencies performed self-inspections. USDA reported to ISOO on the Agency Security Classification Management Program Data Report (Standard Form (SF)-311) that 10, 3, and 13 self-inspections had been conducted in FYs 2010, 2011, and 2012, respectively.
However, when requested by OIG, the Information Security staff were only able to provide documentation to support three self-inspections performed in FY 2012 (See Finding 6).

The documentation of self-inspections is necessary in order for PDSD to track findings and determine whether corrective action has been taken. Without these self-inspection reports, OIG was unable to review findings or corrective actions from the remaining 23 self-inspection reports and concluded that the self-inspection program was ineffective. The staff agreed that improvement is needed in the documentation of the self-inspection program.

We also noted problems with how USDA was reporting to ISOO on the Department’s self-inspection program (See Finding 6). We reviewed the reports from the previous 2 fiscal years and noted that required information was not provided to ISOO. Specifically, the USDA’s FY 2011 annual self-inspection report did not include the following information:

   ·   A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized.
   ·   An assessment and a summary of the findings of the agency's self-inspection program in the following program areas: original classification, derivative classification, declassification, safeguarding, security violations, and management and oversight.
   ·   Specific information with regard to the findings of the annual review of the agency's original and derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified.
   ·   Actions that have been taken or are planned to correct identified program deficiencies, marking discrepancies, or misclassification actions, and to deter their reoccurrence.
   ·   Best practices that were identified during self-inspections.

Similar deficiencies were noted in the FY 2012 annual self-inspection report. This report did not include the following information:

   ·   A description of the agency's self-inspection program to include activities assessed, program areas covered, and methodology utilized.
   ·   An assessment and a summary of the findings of the agency's self-inspection program in the following program areas: derivative classification and security violations.
   ·   Specific information with regard to the findings of the annual review of the agency's derivative classification actions to include the volume of classified materials reviewed and the number and type of discrepancies identified.
   ·   Best practices that were identified during self-inspections.

PDSD staff stated that, while they try to gather the missing information, due to resource constraints, they allow the subordinate agencies to complete the self-inspection and send in their results to PDSD. They acknowledged that in some cases, they may not have received all the self-inspections (See Finding 6).

Also, ISOO conducted a review of USDA’s classified national security information program in 2005 and found a high percentage of classified documents with marking errors, which indicated USDA’s prior corrective actions were not adequate to eliminate future marking errors.[41]

Conclusions

Self-inspections can be a valuable guide to pinpointing deficiencies and effectively addressing them. If the self-inspection program is not gathering the necessary information, or the self-inspections are not performed regularly and as required, the self-inspection program’s impact will be greatly weakened and the issues will persist.
For instance, in 2005, ISOO reported a high percentage of classified documents with marking errors. A self-inspection program, which includes the requirements for marking classified documents, that is efficiently conducted and documented, could assist PDSD in identifying and addressing continued issues regarding marking errors (See Findings 3 and 4).

Because ISOO relies on the information agencies report to determine the status of the classification programs in both Government and industry on an annual basis, it is essential that USDA ensures it is reporting complete information. Without proper documentation of a self-inspection program, and reporting of essential security information to ISOO, USDA is unable to ensure that it has an effective classified national security information program.

[41] ISOO Report of On-site Review and Document Review of USDA, December 5, 2005.

Recommendation 10 to the SAO
Direct all subordinate agencies to schedule, conduct, and document self-inspections and provide the completed inspections to PDSD.

Agency Response
As answered in Recommendation 9, OHSEC will coordinate with subordinate agencies to schedule, conduct, and document self-inspections by the end of FY 2014.

OIG Position
We accept management decision for this recommendation.

Recommendation 11 to the SAO
Develop and implement procedures that require PDSD to report to the SAO on the completion of the subordinate agency self-inspections.

Agency Response
Currently, the SAO has provided a response through the required SF-311 reporting process. This process will be updated by the end of the first quarter FY 2014 to ensure all SF-311 reports are submitted to the SAO or their designee prior to being submitted to ISOO.

OIG Position
We are unable to accept management decision at this time.
The response stated that the process will be updated to ensure that all SF-311s are provided to the SAO or designee before being provided to ISOO. However, the recommendation requires PDSD to report to the SAO on the completion of the subordinate agency self-inspections, not completing the SF-311s, which was addressed in Finding 6.

In order to reach management decision, the response needs to specify that a procedure will be developed that requires PDSD to report to the SAO on the completion of the subordinate agency self-inspections and provide an estimated completion date for implementation of the procedure by the SAO.

Recommendation 12 to the OCA
Develop and implement procedures that require the SAO to review and verify that the annual self-inspection report includes all required information, prior to submitting the report to ISOO.

Agency Response
As identified in Recommendation 11, this process will be updated by the end of the first quarter of FY 2014.

OIG Position
We are unable to accept management decision at this time. The response did not address the development of procedures to require the SAO to verify that all required information was included in the annual self-inspection report. Instead, the response discussed a different report, the SF-311 that is provided to ISOO.

In order to reach management decision, the response needs to specify that the procedure will be developed and provide an estimated completion date for implementation of the procedure by the OCA.

Finding 6: Effectiveness of Security Reporting
Each agency, e.g., USDA, is required to gather information and report on the state of its security program. We found that USDA has not effectively gathered information and reported statistics related to its security classification program.
This occurred because USDA’s subordinate agencies do not always provide PDSD with reports containing the needed information or documentation. As a result, ISOO may be receiving and relying upon incomplete or inaccurate information concerning the status of USDA’s security classification program.

According to Federal regulation,[42] each agency that creates or safeguards classified information must annually report to the Director of ISOO statistics related to its security classification program by using the Agency Security Classification Management Program Data Report (SF-311). The SF-311 is a data collection form completed only by those Executive branch agencies that create and/or handle classified national security information.

To meet these requirements, each USDA subordinate agency must annually complete an individual SF-311 and submit it to PDSD. PDSD Information Security staff then compile this information into a comprehensive SF-311. PDSD submitted the comprehensive forms to ISOO for FYs 2010, 2011, and 2012, on behalf of USDA.

If subordinate agencies have not submitted their reports, the agency (USDA) may request an extension from ISOO or submit the comprehensive SF-311, with an annotation stating which subordinate agencies did not submit their reports, and ISOO will note this in the annual report. Additionally, if an agency estimates the number of derivative classification decisions, the sampling period and multiplier used shall be annotated in the comments section of the SF-311.

We found that USDA’s comprehensive SF-311s submitted to ISOO contained unsupported data that, at times, conflicted with the data submitted in the subordinate agencies’ SF-311s. For example, in FY 2011, USDA reported 531 derivative classification decisions, but the SF-311s provided by subordinate agencies supported only 103.
Similarly, in FY 2012, USDA reported 7,179 derivative classification decisions, while subordinate agencies’ SF-311s supported only 6,439.

We also found that USDA’s comprehensive reports to ISOO did not always accurately reflect the number of self-inspections reported by subordinate agencies. The table below presents the number of self-inspections reported to both ISOO and PDSD for FYs 2010, 2011, and 2012.

   FY      Number of Self-Inspections   Number of Self-Inspections
           Reported to ISOO             Reported to PDSD
   2010    10                           10
   2011    3                            10
   2012    13                           7

[42] 32 CFR 2001.90(b), July 1, 2010 Edition.

PDSD Information Security staff stated that these variances occurred because not all subordinate agencies responded to PDSD’s annual request for data, and PDSD did not have the ability to enforce compliance. OIG found that USDA does not have guidance in place directing subordinate agencies to annually submit the required statistical information. PDSD Information Security staff further explained that, because subordinate agencies do not always provide statistical information to PDSD, PDSD must often contact each subordinate agency individually to obtain the required data. PDSD Information Security staff may then adjust the numbers based on the verbal contact and their own knowledge of the agency’s classified national security information activity for the year.

We found that PDSD did not document in the SF-311 comments section how it calculated estimated statistics.
Additionally, when requested, PDSD staff were unable to determine how the calculation was performed and could not provide documentation for the basis of the estimate. This occurred primarily because PDSD does not have procedures in place to document the statistical information it receives, or to document any changes or estimations of this information.

OIG noted that USDA may request to extend its deadline in order to have more time to follow up with subordinate agencies. Additionally, USDA must notify ISOO which subordinate agencies did not report, so that ISOO can include this information in the annual report. Finally, when estimating numbers and statistics, PDSD should document and explain its methodology for doing so in the comments section when submitting this information to ISOO, as required.

Conclusions

PDSD can improve the accuracy of its annual report (SF-311) if it obtains information from all subordinate agencies and it fully documents methodologies for estimating information. While OIG acknowledges that individual followup can be lengthy and time-consuming, requesting extensions, as well as reporting which subordinate agencies did not provide information, will increase the likelihood of subordinate agencies providing accurate information. Additionally, USDA must have clear procedures and direction for both PDSD and subordinate agencies on how to document the numbers they report.
USDA must ensure that it is submitting accurate information to ISOO, since this information is crucial to ensuring the effectiveness of statistical reporting.

Recommendation 13 to the SAO
Direct all subordinate agencies to provide required statistical information to PDSD annually to ensure accurate reporting to ISOO.

Agency Response
Additional direction will be provided to the subordinate agencies outlining the requirement to provide annual reporting by the end of the first quarter of FY 2014.

OIG Position
We accept management decision for this recommendation.

Recommendation 14 to PDSD
Develop procedures to fully document the statistical information (including methodologies utilized for changing or estimating data) used to support the annual report to ISOO.

Agency Response
OHSEC will develop procedures to document the information by the end of the second quarter of FY 2014.

OIG Position
We accept management decision for this recommendation.

Finding 7: Effectiveness of Security Education and Training
PDSD’s classification management training content and documentation need to be improved on a more general level, particularly in providing required information to individuals with security clearances. Specifically, we found that PDSD does not maintain records of the training provided outside of AgLearn,[43] and the training documents for the Classified National Security Information Annual Refresher Briefing did not cover all the required elements of the biennial training. This occurred because the training records management system is inadequate, and training documents have not been updated to cover all required topics. As a result, there is a greater risk that individuals creating or handling classified information have not been adequately trained to do so.
This may result in over-classification, misclassification, or improper release of national security information.

According to Federal regulation, all executive branch employees who create, process, or handle classified information must undergo training. All agencies are to conduct training tailored to the organization, using briefings, interactive videos, dissemination of instructional materials, online presentations, or other methods, and maintain records about the training and the employees who participated in the training.[44]

OCAs are required to receive training before classifying original information and then at least once each calendar year thereafter. The annual training must include guidance on proper classification and declassification procedures, with an emphasis on the avoidance of over-classification. Everyone who applies derivative classification markings is to receive training on proper application of the derivative classification principles before classifying information, and retraining at least once every 2 years.

The biennial training for derivative classifiers must include:

   ·   principles of derivative classification;
   ·   classification levels;
   ·   duration of classification;
   ·   identification and markings;
   ·   classification prohibitions and limitations;
   ·   sanctions;
   ·   classification challenges;
   ·   security classification guides; and
   ·   information sharing.

[43] The Agriculture Learning (AgLearn) system is USDA’s Departmentwide system for managing training records and activity at USDA.
[44] 32 CFR 2001.70, July 1, 2010 Edition.

The regulation also states that the penalty for not completing the mandatory training for either an OCA or a derivative classification authority (DCA) is a suspension of the individual’s authority until the training is completed.[45]

We found that USDA’s current training efforts need improvement to meet these requirements. USDA incorporated the required biennial training for DCAs with its annual refresher on security education and training through the online training system AgLearn. The agency stated that this training was given to everyone who holds a security clearance that gives them the authority to handle, create, or process classified information. We reviewed training records for 128 of these individuals to verify they had received training and that the training received met the requirements for possible derivative classifiers.[46]

We found that the USDA’s training program and retention of training records were not in accordance with ISOO’s regulations and the E.O., and lacked key information. Specifically, the AgLearn training did not cover:

   ·   avoidance of over-classification;
   ·   prohibitions and limitations on classification;
   ·   classification challenges; and
   ·   information sharing.

In addition to not covering the above elements, the AgLearn training did not clearly address:

   ·   principles of derivative classification;
   ·   duration of classification; and
   ·   classification guides.

As a result, the USDA employees who took the training through AgLearn were not properly trained in all aspects of derivative classification.

PDSD also did not keep sufficient documentation to support that all Secure Network (SN) users completed the training. This had been an issue which ISOO reported in 2005. We found that of the 128 SN users, PDSD did not have records showing that 28 of these users completed the training through AgLearn. Furthermore, PDSD could not provide evidence that the OCA had received the required annual training.
Additionally, while PDSD officials stated that anyone who could not complete the training in AgLearn did so through an alternative process, they were able to provide documentation supporting that only 9 of the 28 users had completed training through this process. Therefore, 19 of the 128 SN users may not have received the required training.

[45] 32 CFR 2001.71(c)(3)(i-ii) states that “[a]n agency head, deputy agency head, or senior agency official may grant a waiver of this requirement if an individual is unable to receive this training due to unavoidable circumstances. All such waivers shall be documented. Whenever such a waiver is granted, the individual shall receive the required training as soon as possible.”
[46] These individuals were identified by PDSD as having Secure Network (SN) accounts. Individuals within USDA that have an SN account could potentially create a derivatively classified document because classified information can only be processed on a certified and accredited computer system.

PDSD officials stated that they did not waive the training requirement for those who could not complete the training for various reasons. However, PDSD does provide extensions for completing the training on a case-by-case basis, such as when a user was on military orders, AgLearn was not working, or users were unable to access AgLearn from their location. When asked about suspending an original or derivative classifier’s authority to classify, as required by the regulation, PDSD officials stated that there were no suspensions.

Conclusions

PDSD needs to take further steps to ensure that all personnel who handle, create, and process classified information receive adequate training. This requires training content that comprehensively covers all requirements, and a method of documenting which personnel have received such training.
Training is necessary to ensure that the OCA and DCAs have satisfactory knowledge and understanding of classification, safeguarding, and declassification of national classified information. Training also increases uniformity and reduces over-classification or improper classification, improper safeguarding, and inappropriate or inadequate declassification practices. Because PDSD does not waive the training requirement or suspend anyone’s authority to classify information, it must maintain records of training for everyone within USDA who has a security clearance.

Recommendation 15 to PDSD
Develop, complete, and record computer-based training (AgLearn) that meets all the requirements for the original and derivative classification authorities.

Agency Response
OHSEC is currently updating the FY 2014 computer-based training, and requirements will be met by the end of FY 2014.

OIG Position
We accept management decision for this recommendation.

Recommendation 16 to PDSD
Establish a tracking system to record and manage training completed outside of AgLearn for everyone with original or derivative classification authorities.

Agency Response
USDA considers AgLearn the authoritative tool for providing training and education to its employees on a myriad of subject matter that is conducive to their personal and professional development. OHSEC utilizes this methodology to reach the estimated 3,500 cleared staff within all of the agencies that comprise USDA and considers the completion reports that come from AgLearn as an authoritative document.

OIG Position
We are unable to accept management decision at this time.
The response did not provide a method to record training for those individuals who are not able to complete it in the AgLearn system and therefore must complete it in an alternative manner.

In order to reach management decision, OHSEC needs to develop a process to record and manage training for those individuals who are not able to access the AgLearn system and must complete it through an alternative method and provide an estimated completion date.

Recommendation 17 to PDSD
Develop procedures that identify those original or derivative classification authorities who do not complete required training annually or biennially, as appropriate, and suspend those individuals’ authority to classify information, until training is completed.

Agency Response
OHSEC will recommend suspension for anyone who does not complete their training and who does not have approval for an exemption.

OIG Position
We are unable to accept management decision at this time. OHSEC stated that it will recommend suspension for anyone who does not complete their training but did not include procedures that will be developed to suspend individuals.

In order to reach management decision, OHSEC needs to specify the actions planned or completed to develop procedures to identify and address those individuals who do not complete the required training and suspend those individuals’ authority along with an estimated completion date.

Scope and Methodology
Our audit examined 31 documents classified by USDA at the “Secret” and “Top-Secret” level, either originally or derivatively (16 classified since October 1, 2010, and 15 classified prior to that date). We conducted fieldwork from February 2013 through July 2013.
We conducted our audit by visiting OHSEC in Washington, D.C., as well as five locations that store classified national security information (four in Washington, D.C., and one storage location in Riverdale, Maryland).

We used a guide that was prepared by a working group of participating Inspectors General (IG), for all IG offices participating in this Governmentwide effort, on behalf of the Council of the Inspectors General on Integrity and Efficiency. The guide was developed to meet the requirements of Public Law 111-258, Reducing Over-Classification Act, regarding the responsibilities of each participating Department and agency. The IG working group was formed to ensure consistency in the evaluative process, comparable reporting, and the ability to compare results across agencies. As directed by the Act, we consulted with ISOO and coordinated throughout the evaluation with another IG office, with the intent of ensuring that our review followed a consistent methodology to allow for cross-agency comparisons. We were assisted during our review of determining the appropriateness of classification decisions by auditors from the Defense Intelligence Agency.

USDA did not maintain an inventory of all classified documents. To select documents for review, we first obtained a list of 128 individuals with Secure Network (SN) accounts from PDSD. This SN serves as a classified Automated Information System to provide cleared analysts the ability to communicate within the classified environment. This network is not a USDA information system; it is controlled and owned by another Federal Government agency. We did not evaluate the effectiveness of this information system or its controls, as the proper classification, declassification, and marking of classified national security information is manually controlled by the OCA and the DCA at the time a classification decision is made.
As such, we did not rely upon an information system to obtain sufficient, appropriate evidence to support the findings presented in this report.

The list of individuals with SN accounts obtained included names and telephone numbers, as well as the individual’s agency and office. Of the 128 SN users listed, one individual was removed from the list, due to retirement/transfer. Therefore, OIG sent 127 SN users a survey aimed at establishing the number of DCA decisions made since October 1, 2010. Of the 127 surveys sent out, 12 of the recipients were either out of the country, their account had been terminated after we were provided the listing, or they were on extended leave and no response was expected. Of the 115 individuals remaining, 90 responded to our survey. Based on the surveys received, eight individuals indicated they had made DCA decisions since October 1, 2010. We interviewed these 8 individuals, and were able to identify and review 14 DCA determinations made since October 1, 2010, and available for our review at the time the fieldwork was conducted. OIG also identified and reviewed two OCA determinations made since October 1, 2010. In addition, OIG selected 14 DCA documents and 1 OCA document outside the scope of the audit (prior to October 1, 2010) to evaluate whether the agency is proactive with its declassification procedures.

Our review focused on eight areas: original classification authority; general program management responsibilities; original classification; derivative classification; declassification; self-inspections; reporting and definitions; and security education and training.

To discern whether Departmental policies and practices were consistent with E.O. 13526 and 32 CFR 2001, we used the following tools developed by ISOO:

   ·   an agency regulation implementing assessment tool;
   ·   methodology for determining the appropriateness of an original classification decision;
   ·   original classification authority interview coverage;
   ·   methodology for determining appropriateness of a derivative classification decision; and
   ·   derivative classifier interview coverage.

To further assess whether policies, procedures, rules, regulations, and practices had been adopted, followed, and effectively administered, as well as to identify policies and practices that may be contributing to persistent misclassification, we also:

   ·   examined the results of the fundamental classification guidance review;
   ·   examined the results of self-inspection reporting;
   ·   examined Forms SF-311, “Agency Security Classification Management Program Data”;
   ·   reviewed relevant policies, regulations, and related studies;
   ·   reviewed 31 classified documents;
   ·   conducted a survey/questionnaire of original and derivative classifiers;
   ·   interviewed two security managers, along with eight derivative classifiers; and
   ·   interviewed key department officials responsible for security training and related policy development and implementation.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions, based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions, based on our objectives.

Abbreviations

AgLearn    Agriculture Learning system
CFR        Code of Federal Regulations
DCA        Derivative Classification Authority
DM         Departmental Manual
DR         Departmental Regulation
E.O.       Executive Order
FR         Federal Register
FY         Fiscal Year
IG         Inspector General
ISC        Interagency Security Coordinator
ISCAP      Interagency Security Classification Appeals Panel
ISOO       Information Security Oversight Office
OCA        Original Classification Authority
OHSEC      Office of Homeland Security and Emergency Coordination
OIG        Office of Inspector General
PDSD       Personnel and Document Security Division
SAO        Senior Agency Official
SF         Standard Form
SN         Secure Network
USDA       U.S. Department of Agriculture

Exhibit A: Effectiveness of Classification Management Policies and Control Marking Guidelines

In the following table, the first column describes the requirement, the second column provides the citation source for the requirement, and the third column describes how USDA’s current policy differs from the requirement shown in column one.

| Criteria | Citation | USDA’s Current Regulation and Manual |
|---|---|---|
| Original Classification Authority | | |
| OCA was given to the Secretary of Agriculture who “may not delegate the authority” (see Finding 1). | 75 FR 735-736 | USDA’s regulation and manual both state the Secretary “may re-delegate” OCA to the Deputy Secretary. |
| General Program Management | | |
| OCAs and DCAs are suspended, until mandatory training requirements are met (see Finding 1). | 75 FR 707, sections 1.3(d) and 2.1(d); and 32 CFR 2001.71(c)(3) and (d)(3) | Agency guidance does not provide a penalty (suspension) for not completing the required training. |
| Original Classification | | |
| Original classification authority is classifying the information. | 75 FR 707, section 1.1(a)(1) | Agency guidance does not cite the OCA classification standards. |
| If there is significant doubt about the need to classify information. | 75 FR 707, section 1.1(b) | Agency guidance does not discuss the presumption against classification when doubt exists. |
| Classified addendum (see Finding 1). | 75 FR 707, section 1.6(g) | The use of a classified addendum is not discussed in agency guidance. |
| Date of origin of document. | 32 CFR 2001.21(e) | Agency guidance does not specify that the date of origin of a classified document must be applied to OCA documents. |
| Electronic environment markings for classified: e-mails, web pages, uniform resource locators (URL), databases, bulletin boards, wikis, instant messaging, and attached files. | 32 CFR 2001.23 | USDA’s manual covered the marking of electronic external removable data storage device (use of label) and e-mails only (DM 3440-001, chapter 4, sections 4b(6) and 7). |
| Individuals must be advised of their right to appeal agency decisions to ISCAP (see Finding 1). | 75 FR 707, section 1.8(b)(3) | The manual does not advise individuals of this right. |
| Classification Challenges: · initial written response to a challenge within 60 days. · if unable to respond to the challenge within 60 days, the agency must acknowledge the challenge in writing, and provide a date by which the agency will respond. · must include a statement that, if no agency response is received within 120 days, the challenger has the right to forward the challenge to ISCAP for a decision. · forward the challenge to ISCAP if an agency has not responded to an internal appeal within 90 days (see Finding 1). | 32 CFR 2001.14(b)(3) | Agency guidance does not address these timeframes. The manual only addresses a 30-calendar day response from PDSD (DM 3440-001, chapter 2.1.f). |
| Classification guides shall conform to standards and be reviewed and updated. | 75 FR 707, section 2.2(a and c) | Agency guidance does not contain procedures for the publication and updating of classification guides which meet the minimum standards. |
| Derivative Classification | | |
| DCA needs to be identified by name and position, or by personal identifier (see Finding 1). | 75 FR 707, section 2.1(b)(1); and 32 CFR 2001.22(b) | Agency guidance does not require the name or personal identifier of those who apply derivative classification markings. |
| Transmittal document markings. | 32 CFR 2001.24(b) | Agency guidance does not discuss the required markings for transmittal documents. |
| Date of origin of document. | 32 CFR 2001.22(i) | Agency guidance does not specify that the date of origin of a classified document must be applied to DCA documents. |
| Declassification | | |
| Automatic Declassification. | 75 FR 707, section 3.3; and 32 CFR 2001.30(m) | Agency guidance does not include procedures for processing requests to ISCAP for exemptions from automatic declassification. |
| An agency shall notify ISCAP of any specific file series of records that falls within one or more of the automatic declassification exemption categories. | 75 FR 707, section 3.3; and 32 CFR 2001.30(n)(5) | Agency guidance does not include a process for file series exemptions. |
| Each agency shall publish in the Federal Register regulations concerning the handling of mandatory declassification. | 32 CFR 2001.33(a) | Agency mandatory declassification procedures were not published in the Federal Register. |
| Self-Inspections | | |
| SAO shall report annually to the Director of ISOO on the agency’s self-inspection program. The report shall include: description of the agency’s self-inspection program; assessment and a summary of the findings; specific information regarding the findings; the action taken; and best practices (see Finding 1). | 75 FR 707, section 5.4(d)(4); 32 CFR 2001.60(f)(2); and 32 CFR 2001.90(d) | Agency guidance does not address the external reporting of self-inspections. |
| Regular reviews of representative samples of the agency’s original and derivative classification actions shall encompass all agency activities that generate classified information. | 32 CFR 2001.60(c)(2) | Agency guidance does not discuss reviewing representative samples of OCA and DCA documents and corrections of misclassifications. |
| Reporting and Definitions | | |
| Each agency shall report annually to the Director of ISOO statistics related to its security classification program. | 32 CFR 2001.90(b) | Agency guidance does not address statistical reporting. |
| Agencies shall report annually to the Director of ISOO regarding security violations and/or improper declassifications. | 32 CFR 2001.91(a), and 32 CFR 2001.91(d) | Agency guidance does not require a report to the Director of ISOO regarding security violations and/or improper declassifications. |
| Definitions as provided in the E.O. and CFR | 75 FR 707, section 6.1; and 32 CFR 2001.92 | Agency guidance does not include all definitions in accordance with the EO and 32 CFR 2001. |
| An initial fundamental classification guidance review shall be completed no later than June 27, 2012, and at least once every 5 years thereafter. | 32 CFR 2001.16(a) | Agency guidance does not address a fundamental classification guidance review. |
| Security Education and Training | | |
| The agency may grant a waiver of the training requirement due to unavoidable circumstances. Waivers shall be documented and training should be taken as soon as practicable. | 32 CFR 2001.71(c)(3), and 32 CFR 2001.71(d)(3) | Agency guidance does not cover the waiver process for delays in training. |

Agency's Response

USDA’S OFFICE OF HOMELAND SECURITY AND EMERGENCY COORDINATION’S RESPONSE TO AUDIT REPORT

United States Department of Agriculture
Office of Homeland Security and Emergency Coordination
1400 Independence Avenue SW
Washington, DC 20250

September 19, 2013

Mr. Gil Hardin
Assistant Inspector General for Audit
Office of the Inspector General
Washington, D.C. 20250

Dear Mr. Hardin:

Thank you for your letter on August 5, 2013, regarding the Classification Management Inspection Response for fiscal year 2013, Audit Number: 61701-0001-32.

We have reviewed the official draft report on the subject audit. We appreciate the opportunity to provide responses on the findings and the suggested recommendations. We have included the proposed corrective actions to be implemented, including timeframes for completion in the attachment.

Should you need clarification or additional information, please contact Mr. Cody Allers, Chief, Personnel and Document Security Division at (202)720-7373 or at cody.allers@dm.usda.gov.

Sincerely,

/S/

Todd H. Repass, Jr.
Director
Office of Homeland Security and Emergency Coordination

Attachments

Attachment
Audit number -61701-0001-32 Response

Finding 1: Effectiveness of Security Program Management

    ·   Recommendation 1 to the Personnel and Document Security Division (PDSD)

        Establish a records management system to facilitate the release of information after declassification date.

        Agency Response, Corrective action:

        To ensure classified records are maintained OHSEC uses DR 3080-001 and E.O. 13526. The ISC will be made aware of their responsibility in maintaining a separate classified records management system to the extent possible.
        Training will be incorporated into the annual refresher and specific training for the ISC will enable the identification, preservation, and retirement of permanent records. The general awareness will be incorporated into the FY 2014 annual refresher training. ISC specific training will be developed and implemented in AgLearn for all ISC by the second quarter of 2014.

    ·   Recommendation 2 to PDSD

        Review all documents in which the declassification date has passed, in accordance with the “Mandatory Review for Declassification.”

        Agency Response, Corrective action:

        OHSEC will incorporate specific guidance into the ISC specific training that addresses the need to review all classified holdings for appropriate markings and control information by the end of the second quarter of FY2014. This training will include the proper marking elements to ensure all responsible understand the marking and control requirements.

    ·   Recommendation 3 to the Senior Agency Official (SAO)

        Dedicate the resources to expedite the process of ensuring the Departmental Regulation and Manual, DR 3440-001 and DM 3440-001, are updated to reflect Federal requirements (E.O. 13526 and 32 CFR 2001).

        Agency Response, Corrective action:

        OHSEC has identified the update of the DM 3440-001 as a critical priority for FY2014.

Finding 2: Effectiveness of Original Classification Authorities

    ·   Recommendation 4 to PDSD

        Update the classification guide to include a point of contact and specific date or event for declassification.

        Agency Response, Corrective action:

        OHSEC believes that further guidance from Information Security Oversight Office (ISOO) is required. OHSEC will provide ISOO’s guidance to OIG during the first quarter of FY2014.

    ·   Recommendation 5 to PDSD

        Develop and implement procedures to review and update the classification guide when regulatory changes occur to ensure future compliance.

        Agency Response, Corrective action:

        OHSEC will prepare a policy memorandum outlining the new procedures.
        The memorandum will be distributed by the end of the first quarter of FY2014.

Finding 3: Effectiveness of Original Classification Decisions and Dissemination Control Marking Decisions

    ·   Recommendation 6 to the Original Classification Authority (OCA)

        Correct the markings on the two originally classified documents so that it is clear that the documents are original classifications, not derivative classifications.

        Agency Response, Corrective action:

        OHSEC will correct the markings by end of the first quarter of FY2014.

    ·   Recommendation 7 to PDSD

        Develop and implement a checklist to be used by the OCA, at the time of classification, to ensure that all originally classified documents include the required markings.

        Agency Response, Corrective Action:

        OHSEC will develop a checklist by end of the first quarter in FY2014.

Finding 4: Effectiveness of Derivative Classification Decisions and Dissemination Control Marking Decisions.

    ·   Recommendation 8 to PDSD

        Develop and conduct specialized training for derivative classifiers that discusses the differences between working papers and finished documents and the marking requirements, as described in the regulation.

        Agency Response, Corrective action:

        OHSEC will deliver specialized training for Derivative Classifiers by the end of the second quarter of FY2014.

    ·   Recommendation 9 to PDSD

        Coordinate with the subordinate agencies to ensure that review of all USDA classified documents are maintained; and correct all improper markings identified, as needed.

        Agency Response, Corrective Action:

        OHSEC will lead a review process with all subordinate agencies to review and correct all USDA classified documents as needed by the end of FY2014.

Finding 5: Effectiveness of Security Self-Inspection Program

    ·   Recommendation 10 to the OCA

        Direct all subordinate agencies to schedule, conduct, and document self-inspections. The completed inspections should be submitted to the Personnel and Document Security Division (PDSD).

        Agency Response, Corrective Action:

        As answered in recommendation number 9, OHSEC will coordinate with subordinate agencies to schedule, conduct, and document self-inspections by the end of FY2014.

    ·   Recommendation 11 to SAO

        Develop and implement procedures that require PDSD to report to the SAO on the completion of the subordinate agency self-inspections.

        Agency Response, Corrective Action:

        Currently, the SAO has provided a response through the required SF-311 Reporting process.
        This process will be updated by the end of the first quarter of FY2014 to ensure all SF-311 reports are submitted to the SAO or their designee prior to being submitted to ISOO.

    ·   Recommendation 12 to OCA

        Develop and implement procedures that require the SAO to review and verify that the annual self-inspection report includes all required information, prior to submitting the report to the Information Security Oversight Office (ISOO).

        Agency Response, Corrective action:

        As identified in number 11, this process will be updated by the end of the first quarter of FY2014.

Finding 6: Effectiveness of Security Reporting

    ·   Recommendation 13 to OCA

        Direct all subordinate agencies to provide required statistical information to PDSD annually to ensure accurate reporting to the Information Security Oversight Office (ISOO).

        Agency Response, Corrective Action:

        Additional direction will be provided to the subordinate agencies outlining the requirement to provide annual reporting by the end of the first quarter of FY2014.

    ·   Recommendation 14 to PDSD

        Develop procedures to fully document (including methodologies used for changing or estimating data) the statistical information used to support the annual report to the Information Security Oversight Office (ISOO).

        Agency Response, Corrective Action:

        OHSEC will develop procedures to document the information by the end of the second quarter of FY2014.

Finding 7: Effectiveness of Security Education and Training

    ·   Recommendation 15 to PDSD

        Develop, complete, and record computer-based training (AgLearn) that meets all the requirements for the original and derivative classification authorities.

        Agency Response, Corrective Action:

        OHSEC is currently updating the FY2014 computer-based training and requirements will be met by the end of FY2014.

    ·   Recommendation 16 to PDSD

        Establish a tracking system to record and manage training completed outside of AgLearn for everyone with original or derivative classification authority.

        Agency Response, Corrective Action:

        USDA considers AgLearn the authoritative tool for providing training and education to its employees on a myriad of subject matter that is conducive to their personal and professional development. OHSEC utilizes this methodology to reach the estimated 3500 cleared staff within all of the agencies that comprise USDA and considers the completion reports that come from AgLearn as an authoritative document.

    ·   Recommendation 17 to PDSD

        Develop procedures that identify those original or derivative classification authorities who do not complete required training annually or biennially, as appropriate, and suspend those individuals’ authorization to classify information, until training is completed.

        Agency Response

        OHSEC will recommend suspension for anyone who does not complete their training and who does not have approval for an exemption.

To learn more about OIG, visit our website at www.usda.gov/oig/index.htm

How To Report Suspected Wrongdoing in USDA Programs

Fraud, Waste and Abuse
e-mail: USDA.HOTLINE@oig.usda.gov
phone: 800-424-9121
fax: 202-690-2474

Bribes or Gratuities
202-720-7257 (24 hours a day)

The U.S. Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on the basis of race, color, national origin, age, disability, and where applicable, sex (including gender identity and expression), marital status, familial status, parental status, religion, sexual orientation, political beliefs, genetic information, reprisal, or because all or part of an individual’s income is derived from any public assistance program. (Not all prohibited bases apply to all programs.) Persons with disabilities who require alternative means for communication of program information (Braille, large print, audiotape, etc.) should contact USDA’s TARGET Center at (202) 720-2600 (voice and TDD).

To file a complaint of discrimination, write to USDA, Assistant Secretary for Civil Rights, Office of the Assistant Secretary for Civil Rights, 1400 Independence Avenue, S.W., Stop 9410, Washington, DC 20250-9410, or call toll-free at (866) 632-9992 (English) or (800) 877-8339 (TDD) or (866) 377-8642 (English Federal-relay) or (800) 845-6136 (Spanish Federal relay). USDA is an equal opportunity provider and employer.